This transparency statement explains how we collect, use and share information gathered about members of the public or other entities in accordance with the Information Gathering Model Standards issued by the State Services Commission (SSC) for information gathering.
We gather information both directly and indirectly to fulfil our statutory powers, functions and duties as a regulator and Crown entity, including for the purposes of:
detecting, investigating and prosecuting offences (e.g. breaches of the Financial Markets Conduct Act 2013 (FMC Act), Financial Service Providers Act 2008 and Crimes Act 1961)
ensuring regulatory compliance, and preventing, investigating, and responding to non-compliance (e.g. meeting obligations under the FMC Act and compliance with licence conditions set by the FMA)
building intelligence about the market (e.g. collecting regulatory returns from licensees and conducting thematic reviews)
taking appropriate steps to respond to and mitigate threats to the physical security of staff, or the security of information or places (e.g. web hacking, physical security breach).
We take care to exercise our information-gathering powers lawfully and appropriately, and meet our obligations under the Financial Markets Authority Act 2011 (FMA Act) and the Financial Markets Legislation, Privacy Act 1993, Search and Surveillance Act 2012, Bill of Rights Act 1990, FMA Code of Conduct, and the SSC Code of Conduct.
This transparency statement applies to information gathering carried out by us, our contractors, and any other third parties engaged by us.
Information may be gathered on a voluntary or a mandatory basis. We collect information from a variety of sources, both physical and digital. These sources include:
individuals (e.g. in-person interviews, phone calls and emails);
other agencies or entities (e.g. financial market participants such as issuers and financial adviser organisations, financial product providers, banks, auditors, statutory supervisors, NZ government agencies, overseas regulators);
online sources (e.g. websites, social media and public registers); and
physical sources and locations (e.g. paper records and site visits).
Information collected directly
Much of the information we collect is provided directly by individuals or entities, or an authorised representative, as a requirement to fulfil statutory obligations and according to our powers as a regulator (e.g. financial reporting, or making an application for a licence under the FMC Act).
Where we require information that is relevant to us for considering and investigating compliance breaches and complaints, and initiating our own investigations or inquiries, we may gather information from individuals or entities using our statutory powers (e.g. issuing a notice for information or documents under the FMA Act).
As part of the use of our statutory powers and to gather and preserve information and evidence, we may:
require an original copy of a document to be provided to us;
record a compulsory or voluntary interview conducted in person or by telephone;
take screenshots of public websites and registers;
request written information in response to questions;
clone electronic devices when conducting search warrants; or
take photographs and/or notes during site visits.
We may request the assistance of another agency in relation to the exercising of our statutory powers (e.g. the New Zealand Police).
Information collected from another individual or agency
We may also receive or request information about an individual or entity from other individuals, entities, agencies or regulators. Any such information will be gathered in accordance with our statutory powers or other lawful authority and in compliance with the relevant legislation and any information-sharing agreements, memoranda of understanding or similar.
We may also collect publicly available information (e.g. websites, social media, registers and news reporting). We do this to assist us in carrying out any of our powers, functions or duties. When building our knowledge of an entity or individual using publicly available information, we take it in the context of other information we hold about the entity or individual.
Information collected by third parties on behalf of the FMA
On occasion, where information gathering requires specialist capability that we don’t have within our organisation, we may engage a third party to collect information for us (e.g. having a computer forensics expert clone and analyse computer devices).
Information gathering by third parties (including about individuals) is subject to standard legal limits relating to privacy, access to private property, and the privacy/security of communications by individuals, among other things.
We take care to ensure third parties gather information lawfully and appropriately, and meet our obligations under the Privacy Act 1993, Search and Surveillance Act 2012, Bill of Rights Act 1990, FMA Code of Conduct, and the SSC Code of Conduct.
What we do with the information
How we use it
In order to carry out our functions, we may use the information we hold as evidence, and for analysis, risk assessment, audit and/or monitoring purposes.
Where we identify the need to use the information further, for example, to consider or investigate compliance breaches or complaints, or initiate our own investigations or inquiries, we will only do so if required or permitted by law, or with your consent.
We may use information we gather to inform our wider compliance and regulatory strategies. In doing so we will comply with our obligations under the Privacy Act 1993.
How we protect it
Information is stored, accessed and retained in accordance with our Privacy Policies, Information Disclosure Policy, Knowledge Management Policy, ICT Acceptable Use Policy, the SSC Code of Conduct, the FMA Act, the Privacy Act 1993 and the Public Records Act 2005.
In 2018, the Financial Markets Authority entered into a contract with Microsoft to store our business applications and data on cloud-based external servers. We are satisfied that Microsoft’s Azure and Office 365 services will meet our needs while protecting individual privacy and the confidentiality of our information generally. Our assessment of the security of personal information held in this way is consistent with the Privacy Commissioner’s evaluation in undertaking its own transfer of applications and data to Microsoft servers.
We will store the FMA’s data in Microsoft’s data centres in Australia. The Privacy Commissioner has confirmed that he is satisfied that the privacy laws in Australia provide an equivalent level of protection to New Zealand law.
Microsoft’s terms of service, along with local and overseas privacy regulations, will make sure that we have control over the data while we store it in Microsoft’s data centres. Microsoft also undergoes regular independent audits of its compliance with international standards.
Our move to an externally hosted environment is consistent with Government direction to Government agencies to accelerate the adoption of cloud services in preference to traditional IT systems, to become more cost-effective, agile and secure.
We undertake periodic reviews to ensure we comply with our information-gathering obligations as part of our internal assurance activities.
When we share it
We may share information where necessary in order to properly carry out our functions or to assist another agency or overseas regulator in fulfilling its functions. This may include when we are considering and investigating compliance breaches or complaints, or initiating our own investigations or inquiries.
Information is only shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information-sharing agreements with other agencies or overseas regulators.
The FMA is subject to the Official Information Act 1982. This means that information will be made available to a requestor unless there is a good reason to withhold it. There are a number of reasons information may be withheld, including personal privacy and protecting information that has been received in confidence. Section 59 of the FMA Act also requires us to maintain confidentiality of information and documents received, other than in specified circumstances.